You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@syncope.apache.org by co...@apache.org on 2019/10/11 10:45:19 UTC
[syncope] branch master updated: Disallow Doctypes for
SAXParserFactory
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/syncope.git
The following commit(s) were added to refs/heads/master by this push:
new a7a3009 Disallow Doctypes for SAXParserFactory
new 16fb995 Merge pull request #129 from coheigea/doctypes
a7a3009 is described below
commit a7a3009a5002f6e72fe5d19eb99382c28f374799
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Oct 11 11:35:34 2019 +0100
Disallow Doctypes for SAXParserFactory
---
.../apache/syncope/core/persistence/jpa/content/XMLContentLoader.java | 1 +
1 file changed, 1 insertion(+)
diff --git a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java
index db95a6a..9c1b502 100644
--- a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java
+++ b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java
@@ -112,6 +112,7 @@ public class XMLContentLoader implements ContentLoader {
SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
try (contentXML) {
SAXParser parser = factory.newSAXParser();
parser.parse(contentXML, new ContentLoaderHandler(dataSource, ROOT_ELEMENT, true, env));